Microsoft designed the .NET Framework with careful thought
to security, making it one of the most secure development environments ever.
That certainly isn't meant to say that it is secure; far too many flaws are
found in almost any widely deployed software product to claim complete
security. But .NET meets many of the needs of secure applications, and the
.NET Framework provides a host of security services.

Encryption is one of the strongest security features in
the .NET Framework, with rich support for widely used encryption and hashing
algorithms. It is highly extensible, so that you can take advantage of new
algorithms, and of new implementations of existing ones, simply through
configuration files. Many features are built on top of the Windows Crypto API,
while many others are available only in .NET. Its features are designed to
protect both transient data while it is moving across the network and
sensitive data in secure, long-term storage.

Encrypting data in .NET requires a few simple steps,
assuming that you understand enough about which algorithms to use and how to
use them securely:

Imports System.IO
Imports System.Security.Cryptography

'Get the plaintext and put it into a memory stream
Dim mStream As MemoryStream = New MemoryStream
Dim binMemWriter As BinaryWriter = New BinaryWriter(mStream)
binMemWriter.Write(txtPlaintext.Text)
mStream.Position = 0

'Define the algorithm: here, use TripleDES, using the default implementation
Dim tdes As TripleDES = TripleDES.Create()
'Create() generates a random Key and IV; the decryption code must read the
'same values back from some secure storage location

'Encrypt the memory stream's contents into a second stream through a CryptoStream
Dim cipherStream As MemoryStream = New MemoryStream
Dim cStream As CryptoStream = New CryptoStream(cipherStream, tdes.CreateEncryptor(), CryptoStreamMode.Write)
cStream.Write(mStream.ToArray(), 0, CInt(mStream.Length))
cStream.FlushFinalBlock()
Dim ciphertext As Byte() = cipherStream.ToArray()

Simple, right? Unfortunately, the really hard part is
embodied in the comment in the decryption code about reading the key from "some
secure storage location." Key management is very difficult in any application
of encryption. If you use symmetric encryption, you have a shared secret that
one party needs to transmit securely to the other so that both can encrypt
and decrypt data. If you use asymmetric encryption, such as with public and
private key pairs, you still have to store your private key securely. Neither
is easy to do securely, and doing it wrong can open huge security holes in
custom applications, and particularly in Web applications.

That's why one of the most useful encryption technologies
isn't a part of .NET at all. Instead, it is part of all desktop and server
versions of Windows since Windows 2000. It is called the Data Protection API
(DPAPI), and it both encrypts data and uses the deepest, most secure bowels of
Windows to protect that data. It can greatly simplify the code you need to
write while taking care of securely storing encryption keys. Used correctly,
it can even protect data from rogue applications running under the same login
that was used to encrypt the data in the first place.
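To show how DPAPI takes the key storage problem off your hands, here is an added example (not code from the column) that wraps the TripleDES key and IV from the encryption code above with DPAPI, so the application only ever stores an opaque blob. It assumes the managed ProtectedData wrapper from System.Security.dll (.NET Framework 2.0 or later); the entropy string is a constructed value, and supplying it is what keeps other programs under the same Windows login from unprotecting the blob.

```vbnet
Imports System
Imports System.Security.Cryptography
Imports System.Text

Module DpapiKeyStorage
    ' Application-specific secret mixed into DPAPI (constructed value for this
    ' example). Without the same entropy, another process running under the same
    ' Windows login cannot unprotect the blob.
    Private ReadOnly entropy As Byte() = Encoding.UTF8.GetBytes("example-app-entropy")

    ' Wrap the TripleDES key and IV with DPAPI, user scope. The returned blob
    ' is safe to write to disk or a database; the raw key never is.
    Public Function ProtectKey(ByVal tdes As TripleDES) As Byte()
        Dim raw(tdes.Key.Length + tdes.IV.Length - 1) As Byte
        Buffer.BlockCopy(tdes.Key, 0, raw, 0, tdes.Key.Length)
        Buffer.BlockCopy(tdes.IV, 0, raw, tdes.Key.Length, tdes.IV.Length)
        Dim blob As Byte() = ProtectedData.Protect(raw, entropy, DataProtectionScope.CurrentUser)
        Array.Clear(raw, 0, raw.Length) ' don't keep the plaintext key around
        Return blob
    End Function

    ' Recover the key and IV into a fresh TripleDES instance. Succeeds only for
    ' the same Windows user and the same entropy; otherwise DPAPI fails closed.
    Public Sub UnprotectKey(ByVal blob As Byte(), ByVal tdes As TripleDES)
        Dim raw As Byte() = ProtectedData.Unprotect(blob, entropy, DataProtectionScope.CurrentUser)
        Dim key(tdes.KeySize \ 8 - 1) As Byte
        Dim iv(tdes.BlockSize \ 8 - 1) As Byte
        Buffer.BlockCopy(raw, 0, key, 0, key.Length)
        Buffer.BlockCopy(raw, key.Length, iv, 0, iv.Length)
        tdes.Key = key
        tdes.IV = iv
        Array.Clear(raw, 0, raw.Length)
    End Sub

    Sub Main()
        Dim encryptor As TripleDES = TripleDES.Create() ' Key and IV generated automatically
        Dim blob As Byte() = ProtectKey(encryptor)

        ' Later, or in another run of the same program: restore the key
        Dim decryptor As TripleDES = TripleDES.Create()
        UnprotectKey(blob, decryptor)
        Console.WriteLine("Key round-trip matches: " & _
            (Convert.ToBase64String(decryptor.Key) = Convert.ToBase64String(encryptor.Key)))

        ' A caller with the wrong entropy (or a different Windows user) is refused
        Try
            ProtectedData.Unprotect(blob, Encoding.UTF8.GetBytes("other-app"), DataProtectionScope.CurrentUser)
        Catch ex As CryptographicException
            Console.WriteLine("Unprotect refused: " & ex.Message)
        End Try
    End Sub
End Module
```

The blob is bound to the user profile that created it, so it does not move between machines or accounts; that is the limitation the ASP.NET discussion in later installments is about.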

In the next few installments of this column, I'll cover in
more detail what DPAPI can and can't do for you and explore some of the ways
you can get around its limitations when used with ASP.NET applications.

Don Kiely is senior
technology consultant for Information Insights, a business and technology
consultancy in Fairbanks, Alaska. E-mail him at mailto:[email protected].